Amendments to the Claims:

This listing of claims replaces all prior versions and listings of claims in the application: 

Listing of Claims:

1. (Previously Presented) A computer implemented method comprising: 

retrieving connection pairs from a connection table for a host that is attempting to gain 
access to another host in a networked computer system; 

determining whether that one host attempting to gain access has accessed the other host 
previously; and if that one host has not accessed the other host previously, 

determining if other anomalies in the connection patterns of each host exist to establish 
an event severity level indicating a likelihood that the host attempting to access another host is 
attempting an unauthorized access. 

2. (Original) The method of claim 1 wherein determining other anomalies includes 
determining whether previous connection patterns of the hosts indicate that the hosts are in roles 
that are not normal for the hosts. 

3. (Original) The method of claim 1 determining other anomalies includes determining 
whether the connection request uses the transport control protocol (TCP). 

4. (Previously Presented) The method of claim 3 determining other anomalies includes 
determining whether the connection requests use ports that are not well-known indicating a 
possible Trojan virus attack. 

5. (Previously Presented) The method of claim 3 determining other anomalies includes 
using heuristics to provide an indication to an operator that elevates severity of a possible 
unauthorized access event. 

6. (Original) The method of claim 1 wherein determining other anomalies includes
determining whether the connection requests use ports that have not been used previously. 

7. (Previously Presented) The method of claim 1 wherein determining other anomalies
includes determining if several short connections occurred over a short time period by examining
connection behavior between two hosts based on connection pattern data retrieved from the 
connection table. 

8. (Original) The method of claim 1 further comprising: 

determining whether conditions exist to decrease the severity assigned to an event. 

9. (Previously Presented) The method of claim 8 wherein determining whether conditions 
exist to decrease the severity assigned to an event, comprises: 

determining whether the hosts are in roles that commonly access each other. 

10. (Original) The method of claim 8 wherein determining whether conditions exist to 
decrease the severity assigned to an event, comprises: 

determining whether the host being connected to commonly receives connections from 
new hosts. 

11. (Original) The method of claim 1 wherein determining if other anomalies in the
connection patterns of each host exist further comprises:

determining whether conditions exist to decrease the severity assigned to an event; and if 
an event is still indicated, 

sending an event warning message with a determined level of severity to an operator. 
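
An added illustration, not part of the filing: one way the flow recited in claims 1 to 11 could be expressed as detection logic over a connection table. The record fields, weights, thresholds, role labels and sample addresses are assumptions chosen for the example; the claims specify none of them.

```python
from collections import namedtuple

# Field names, weights and thresholds are illustrative assumptions, not the claims' values.
Conn = namedtuple("Conn", "src dst proto port start duration")
WELL_KNOWN_MAX = 1023                      # IANA well-known port range is 0-1023
SHORT_SECS, BURST_COUNT, BURST_WINDOW = 2.0, 3, 60.0
COMMON_FANIN = 3                           # distinct past sources => "commonly receives new hosts"

def score_new_access(table, current, roles=None, common_roles=frozenset()):
    """Score the src->dst pair seen in `current`; return (severity, reasons) or None."""
    roles = roles or {}
    src, dst = current[0].src, current[0].dst
    pairs = {(c.src, c.dst) for c in table if c.src == src}   # connection pairs for src
    if (src, dst) in pairs:
        return None                        # host accessed the other host before
    seen_ports = {t.port for t in table}
    severity, reasons = 1, ["first access"]
    def adjust(delta, why):
        nonlocal severity
        severity += delta
        reasons.append(why)
    # Anomalies that raise severity (claims 3, 4, 6, 7).
    if any(c.proto == "tcp" and c.port > WELL_KNOWN_MAX for c in current):
        adjust(+1, "TCP to non-well-known port")
    if any(c.port not in seen_ports for c in current):
        adjust(+1, "port not used previously")
    short = sorted(c.start for c in current if c.duration < SHORT_SECS)
    if len(short) >= BURST_COUNT and short[-1] - short[0] <= BURST_WINDOW:
        adjust(+1, "several short connections")
    # Conditions that lower severity (claims 9, 10).
    if (roles.get(src), roles.get(dst)) in common_roles:
        adjust(-2, "roles commonly access each other")
    if len({t.src for t in table if t.dst == dst}) >= COMMON_FANIN:
        adjust(-1, "destination commonly receives new hosts")
    return (severity, reasons) if severity > 0 else None  # claim 11: warn only if still an event

# Constructed sample connection table (prior traffic) and new observations.
TABLE = [
    Conn("10.0.0.5", "10.0.0.20", "tcp", 443, 0, 30),
    Conn("10.0.0.6", "10.0.0.20", "tcp", 443, 10, 25),
    Conn("10.0.0.7", "10.0.0.20", "tcp", 443, 20, 40),
    Conn("10.0.0.5", "10.0.0.9", "tcp", 22, 50, 600),
]
BURST = [Conn("10.0.0.5", "10.0.0.30", "tcp", 31337, 100 + i, 0.5) for i in range(3)]
KNOWN = [Conn("10.0.0.5", "10.0.0.20", "tcp", 443, 200, 30)]
NEW_CLIENT = [Conn("10.0.0.8", "10.0.0.20", "tcp", 443, 300, 30)]

if __name__ == "__main__":
    print([score_new_access(TABLE, obs) for obs in (BURST, KNOWN, NEW_CLIENT)])
```

In this constructed data the burst of short connections to a never-contacted host scores highest, while a new client reaching a server that routinely receives new hosts is suppressed before any warning is sent.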

12. (Previously Presented) A computer program product embodied on a computer 
readable medium for detecting unauthorized access in a computer network comprising 
instructions for causing a computing device to: 

retrieve connection pairs from a connection table for a host that is attempting to gain
access to another host; 

determine whether that one host attempting to gain access has accessed the other host 
accessed previously; and if that one host has not accessed the other host previously, 

determine if other anomalies in the connection patterns of each host exist to establish an 
event severity level indicating a likelihood that the host attempting to access another host is 
attempting an unauthorized access. 

13. (Original) The computer program product of claim 12 wherein instructions to 
determine other anomalies includes instructions to determine whether previous connection 
patterns of the hosts indicate that the hosts are in roles that are not normal for the hosts. 

14. (Original) The computer program product of claim 12 wherein instructions to 
determine other anomalies includes instructions to determine whether the connection request 
uses the transport control protocol (TCP). 

15. (Previously Presented) The computer program product of claim 12 wherein 
instructions to determine other anomalies includes instructions to determine whether the 
connection requests use ports that are not well-known indicating a possible Trojan virus attack. 

16. (Previously Presented) The computer program product of claim 12 wherein 
instructions to determine includes instructions to use heuristics to provide an indication to an 
operator that elevates severity of a possible unauthorized access event. 

17. (Original) The computer program product of claim 12 wherein instructions to 
determine other anomalies includes instructions to determine whether the connection requests 
use ports that have not been used previously. 

18. (Previously Presented) The computer program product of claim 12 wherein 
instructions to determine other anomalies includes instructions to determine if several short 
connections occurred over a short time period by examining connection behavior between two
hosts based on connection pattern data retrieved from the connection table. 

19. (Original) The computer program product of claim 12 further comprising instructions to:

determine whether conditions exist to decrease the severity assigned to an event. 

20. (Previously Presented) The computer program product of claim 19 wherein 
instructions to determine whether conditions exist to decrease the severity assigned to an event, 
comprises instructions to: 

determine whether the hosts are in roles that commonly access each other. 

21. (Original) The computer program product of claim 19 wherein instructions to
determine whether conditions exist to decrease the severity assigned to an event, comprises 
instructions to: 

determine whether the host being connected to commonly receives connections from new
hosts.

22. (Original) The computer program product of claim 19 wherein instructions to 
determine whether conditions exist to decrease the severity assigned to an event, comprises 
instructions to: 

determine whether conditions exist to decrease the severity assigned to an event; and if an 
event is still indicated, 

send an event warning message with a determined level of severity to an operator. 

23. (Original) Apparatus comprising: 
a processing device; 

a memory; 

a computer readable medium storing a computer program product for detecting 
unauthorized access in a computer network comprising instructions for causing the device to: 

retrieve connection pairs from a connection table for a host that is attempting to gain
access to another host; 

determine whether that one host attempting to gain access has accessed the other host 
accessed previously; and if that one host has not accessed the other host previously, 

determine if other anomalies in the connection patterns of each host exist to establish an
event severity level indicating a likelihood that the host attempting to access another host is 
attempting an unauthorized access. 

24. (Original) The apparatus of claim 23 wherein instructions to determine other 
anomalies includes instructions to determine whether previous connection patterns of the hosts
indicate that the hosts are in roles that are not normal for the hosts. 

25. (Original) The apparatus of claim 23 wherein instructions to determine other 
anomalies includes instructions to determine whether the connection request uses the transport
control protocol (TCP). 

26. (Previously Presented) The apparatus of claim 23 wherein instructions to determine 
other anomalies includes instructions to determine whether the connection requests use ports that
are not well-known indicating a possible Trojan virus attack. 

27. (Previously Presented) The apparatus of claim 23 wherein instructions to determine 
includes instructions to use heuristics to provide an indication to an operator that elevates 
severity of a possible unauthorized access event.

28. (Original) The apparatus of claim 23 wherein instructions to determine other 
anomalies includes instructions to determine whether the connection requests use ports that have
not been used previously.

29. (Previously Presented) The apparatus of claim 23 wherein instructions to determine 
other anomalies includes instructions to determine if several short connections occurred over a
short time period by examining connection behavior between two hosts based on connection
pattern data retrieved from the connection table. 

30. (Original) The apparatus of claim 23 further comprising instructions to: 
determine whether conditions exist to decrease the severity assigned to an event. 

31. (Previously Presented) The apparatus of claim 30 wherein instructions to determine 
whether conditions exist to decrease the severity assigned to an event, comprises instructions to: 

determine whether the hosts are in roles that commonly access each other. 

32. (Original) The apparatus of claim 30 wherein instructions to determine whether
conditions exist to decrease the severity assigned to an event, comprises instructions to:

determine whether the host being connected to commonly receives connections from new
hosts.

33. (Original) The apparatus of claim 30 wherein instructions to determine whether 
conditions exist to decrease the severity assigned to an event, comprises instructions to: 

determine whether conditions exist to decrease the severity assigned to an event; and if an 
event is still indicated, 

send an event warning message with a determined level of severity to an operator. 



